TrueCrypt has been compromised...

[AstroZombie1]

 

The website of popular drive-encryption software TrueCrypt has been ripped up and replaced with a stark warning to not use the crypto-tool. It's also distributing a new version of the software, 7.2, which appears to have been compromised.

It's feared the project, run by a highly secretive team of anonymous developers, has been hijacked by unknown parties. The easy-to-use data-protecting utility is favored by NSA whistleblower Edward Snowden and his journo pals, as well as plenty of privacy-conscious people.

 

Beginning on Wednesday, the TrueCrypt homepage redirects visitors to a SourceForge-hosted page that displays a message to the effect that the software has been discontinued – and that users should switch to an alternative:

 

Source - theregister.co.uk

[TheSLSAMG]

O__O

 

This doesn't affect me, but that sucks.

[wilbso]

Didn't even know this existed..but that sucks. Doesn't sound good. Seems pretty pointless why though.

[qwertywarrior]

Possible malware served after SourceForge switcheroo

[WanderingFool]

Well this is depressing...really makes you wonder, how many security application are actually secure

[Imaginaerum]

Well this is depressing...really makes you wonder, how many security application are actually secure

A resounding zero.

 

Guess they'll fix this and it'll take another ten years to crack it.

[Morpheus]

well this is very disappointing ...

[ionbasa]

I feel as if the devs are trying to tell us some government agency is to blame:

https://en.wikipedia.org/wiki/Warrant_canary

[Mooshi]

This seems highly suspect that encryption software that's been secure is suddenly bowing down and suggesting you use Microsoft's solution...a company well known to bow down to NSA whims and is part of project PRISM. This gives a foul odor.

[Askew]

So is it possible the website has been hijacked but the software hasn't actually been cracked?

Seems fishy.

[AndThenThereWas1]

There was an audit done recently of truecrypt. Nothing in the audit hints towards there being any major security issues.

[ionbasa]

So is it possible the website has been hijacked but the software hasn't actually been cracked?

Seems fishy.

Well, an update was released with TrueCrypt's signed key. The new "Update" disallows encrypting disks, only decrypting disks. The new binaries also have popup messages informing the user that "Truecrypt is no longer secure".

 

This all seems out of place.

 

My two hypotheses are:

• A rogue developer(s) planned this out to deface TrueCrypt
• A govt entity has a gag order from some court, and this is TrueCrypts Warrant Canary warning: https://en.wikipedia.org/wiki/Warrant_canary

Also of note is the twitter account of Matthew Green, who was auditing TrueCrypt:

https://twitter.com/matthew_d_green

 

He has a few posts which seem to imply a message:

 

Infer what you want, but it does seem as if TrueCrypt has been compromised at some level.

[Askew]

Well, an update was released with TrueCrypt's signed key. The new "Update" disallows encrypting disks, only decrypting disks. The new binaries also have popup messages informing the user that "Truecrypt is no longer secure".

 

This all seems out of place.

 

My two hypotheses are:

• A rogue developer(s) planned this out to deface TrueCrypt
• A govt entity has a gag order from some court, and this is TrueCrypts Warrant Canary warning: https://en.wikipedia.org/wiki/Warrant_canary

Also of note is the twitter account of Matthew Green, who was auditing TrueCrypt:

https://twitter.com/matthew_d_green

 

He has a few posts which seem to imply a message:

Capture.PNG

Capture2.PNG

Capture3.PNG

 

Infer what you want, but it does seem as if TrueCrypt has been compromised at some level.

 

Yes I would agree, it just seems to be evidence that a power shift has occured behind the scenes, and just the face of the situation is being altered.

[ionbasa]

Yes I would agree, it just seems to be evidence that a power shift has occured behind the scenes, and just the face of the situation is being altered.

Also, another sign that TrueCrypt may have been compromised:

One of the security analysts, Kenn White, involved with the truecrypt audit tweeted that the timestamp of the compiled binary for Windows is showing UTC-7 hrs, or better known as PDT (USA -West Coast).

It was believed that one of the developers may have been located in Poland, explaining why all of the binaries were built and timestamped with UTC+1 or UTC+2 previously.

 

If the timestamp is to be believed, it means that the latest version of TrueCrypt may have been compiled by someone other than the true developers, more specifically someone located in the west coast of the United States, rather than in Europe.

 

As of now my personal advice to everyone is to not touch the latest 7.2 binary. Given that TrueCrypt's signing key may have been compromised, there may be malware hidden in the latest release.

[Mooshi]

In theory, the 7.1 installer should still be fine. Never really hardcore used Truecrypt, but I kept an installer just in case. If this 7.2 is all pandering to Microsoft and their blatant NSA ties, I want nothing to do with this entire mess. I have confidence that pre pandering Truecrypt should still be fine.

[LAwLz]

This smells really fishy.

My guess is that something happened to the developer and he thought this was the best way of dealing with it.

That he recommends bitlocker is really strange though.

Guess everyone will have to change over to GnuPG or something similar now. It's a shame TrueCrypt uses its own stupid license as well, otherwise someone would just have been able to fork it.

[JantsoP]

Well i kinda saw this happening due Heartbleed and such. Also the latest Trucrypt version what i got few months back was dated to year 2012 or something (Downloaded from truecrypt)

[ionbasa]

This smells really fishy.

My guess is that something happened to the developer and he thought this was the best way of dealing with it.

That he recommends bitlocker is really strange though.

Guess everyone will have to change over to GnuPG or something similar now. It's a shame TrueCrypt uses its own stupid license as well, otherwise someone would just have been able to fork it.

The latest release had the license changed actually. It no longer contains the advertising clause. Strangely enough it encourages people to now fork the latest release.

 

Although this may imply that the latest 7.2 binaries are safe to use, there is no way of knowing if the latest binaries were compiled from the source code provided. After doing some research, it seems the latest binaries cannot be recreated from the source provided because of signature differences. 

[LAwLz]

The latest release had the license changed actually. It no longer contains the advertising clause. Strangely enough it encourages people to now fork the latest release.

 

Although this may imply that the latest 7.2 binaries are safe to use, there is no way of knowing if the latest binaries were compiled from the source code provided. After doing some research, it seems the latest binaries cannot be recreated from the source provided because of signature differences. 

Truecrypt's Windows binaries have always been really hard to reproduce (which have lead people to believe that the precompiled binaries don't use the source code posted on the website) so there isn't really any surprise there.

If they changed the license to clearly allow forking then that's good news.

[DLM_012]

in after NSA

 

Soon enough we will have no decently secure software to use. Compromising SSL and now one of the popular drive encryption tools.

[alpenwasser]

I'm not at all a conspiracy nut, but I must admit that this has

me rather severely worried.

Or, in technical terms: Holy shit! :wacko: :blink:

[Cillit_Bang]

hmm just stumbled upon this:

 

looking at the waybackmachine it seems that older versions of the truecrypt-website are blocked.

 

 

http://web.archive.org/web/www.truecrypt.org

 

Translation:

Accesserror

The Access to this content is blocked. Blocked Site Error

[Opcode]

So much for that project.

[Visionnn]

What if they just said that Trucrypt has be comprimised but it actually isn't?

[Morpheus]

What if they just said that Trucrypt has be comprimised but it actually isn't?

it's a possibility